Testing for Cross Site Scripting Vulnerability

Cross-site scripting (also known as XSS or CSS) occurs when a Web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink that contains malicious content within it. Dynamic pages that are vulnerable to this hack include search results, error messages and Web-form results pages that echo data entered by the user.

After collecting data from a user, a Web application may create an output page for the user--such a page may contain the malicious data that was originally sent to it, but in such a way as to appear to be valid content from the Web site.

An attacker who uses cross-site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user or execute malicious code on the end user's computer.

Step 1. Open the Web site in a browser.

Step 2. Locate a search box or login page.

You'll specifically want to find an interactive page that accepts the data you input and displays it back to you on a results page. Search functions and registration or login pages are likely spots to check.

Step 3. Begin testing.

Once you have located a search engine or login form, type the word test into the search field or login name.

Step 4. Send request.

Press the Enter or Return key. This will send your request to the Web server.

Step 5. Determine possibility of cross-site scripting vulnerability.

Note whether the results repeat the text that you entered, as in the following examples:

"Your search for 'test' did not find any items"

"Your search for 'test' returned the following results"

"User 'test' is not valid"

"Invalid login 'test'"

If the word test appears in the result page, then your site offers an entryway for cross-site scripting.

Step 6. Submit an actual script to the Web site.

To test for cross-site scripting, input the string <script>alert('hello')</script> into a submission field, in much the same way you entered test in Step 3. Press the Enter or Return key to send your request to the Web server.

Step 7. Determine whether vulnerability exists.

If the server responds with a popup box that displays the word "hello," then the Web site is vulnerable to cross-site scripting.

Sometimes a popup window may not launch even though the site is vulnerable. You may have to search the HTML source of the page. Go to View | Source in Microsoft Internet Explorer or View | Page Source in Netscape. In the document that opens, search for the phrase

<script>alert('hello')</script>

and click the Find Next button. If the text is found, then the Web server is vulnerable to cross-site scripting.

As Statistics Editor of Baseline magazine, Regina creates interactive tools, worksheets and project guides for technology managers. Before joining Ziff Davis, she worked as a technical program manager for a database company, where her projects included data management applications in XML, Java, Visual Basic and ASP. Her other experience includes running the new media department at Christie's Inc. and writing and editing for Internet World and PC Magazine. Regina received a B.A. from Yale.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.